
DNSViz: Intimate view of a website's DNS security

DNSSEC is supposed to authenticate DNS responses, but how do you know if it's working? DNSViz, that's how.

The Domain Name System (DNS) -- the lookup service that lets number-challenged humans use names like TechRepublic.com instead of IP addresses -- is in serious, serious trouble. You couldn't tell by me; everything seems fine. Type in TechRepublic.com and the web browser magically retrieves TechRepublic's web page.

What's the problem?

Instead of TechRepublic, go to your Internet-banking website. Now consider this: how do you know it's the real deal? What if it's a copy, one designed by bad guys to capture keystrokes and screen shots, specifically login information? You typed the right name, but nothing in plain DNS stops a spoofed answer from sending your browser to the copy instead.

Update (17 Jan 2012): I just read a blog post by Brian Krebs where he discusses an application called Simple Phishing Toolkit and how it simplifies setting up a "phishing website".

"The toolkit lives up to its name: It's extremely simple to install and to use. Using a copy of WampServer - a free software bundle that includes Apache, PHP and MySQL - I was able to install the toolkit and create a Gmail phishing campaign in less than five minutes."

The toolkit was designed to educate employees on how to avoid fake websites that phish for sensitive personal information. It is only a matter of time before nasty types also start using the toolkit.

DNSSEC

Experts all over the world are working hard to resolve issues like misdirection to malicious websites. One solution at the forefront is Domain Name System Security Extensions (DNSSEC), which uses public-key cryptography to let a resolver verify that a DNS answer really came from the zone's operator and was not altered in transit. Each zone signs its own records, and the parent zone publishes a DS record that vouches for the child's key, so trust runs down from the signed root through the top-level domain to the website's own domain.

Sadly, DNSSEC is difficult to understand and to implement. That's probably why only a small percentage of companies have deployed it, even though it has been available for .com domains since the com zone was signed in early 2011.

So, how does one know if a website is using DNSSEC? One way is to use the DNSSEC test website -- ironic, I know -- run by Verisign Labs. It looks for the two records a signed delegation needs: a DNSKEY in the zone itself and a matching DS record in the parent zone. The screenshot below shows the test results for www.TechRepublic.com.

The red Xs beside "No DS records" and "No DNSKEY records" show that the domain techrepublic.com is not using DNSSEC: the zone publishes no DNSKEY, and its parent, com, holds no DS record pointing at one. The next screenshot displays the test results for www.Sandia.gov.

The Sandia National Laboratories website is using DNSSEC, probably because of the U.S. federal mandate that .gov domains be signed with DNSSEC.
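To make the DS-versus-DNSKEY check concrete, here is an added example (not code from the article, from the Verisign Labs tester or from DNSViz) that implements the two computations a validating resolver performs at a delegation: the RFC 4034 key tag and the DS digest over the child's DNSKEY. It then classifies the delegation as secure, insecure or bogus, which is the distinction Casey Deccio draws in the interview below when he says insecurity must be proven. The zone name example.test and the four-byte key are constructed for the example; real keys are RSA or ECDSA keys hundreds of bytes long, and the same code handles them unchanged.

```python
"""DS / DNSKEY consistency check for a DNSSEC delegation (added example).

Implements the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034
section 5.1.4) so it runs offline. Zone name and key bytes are made up.
"""
import base64
import hashlib
import struct

# Digest types a DS record may carry: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key_tag, algorithm, digest_type, HEX digest), as the parent's DS record carries it.
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(text: str) -> tuple:
    """Parse presentation format, e.g. '2063 8 2 AB12...'; the digest may contain spaces."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def delegation_status(parent_ds: list, child_dnskeys: list, owner: str,
                      authenticated_denial: bool) -> str:
    """Classify a delegation the way a validating resolver does (RFC 4035 section 5).

    parent_ds: DS tuples published in the parent zone (com for techrepublic.com).
    child_dnskeys: DNSKEY RDATA published in the child zone.
    authenticated_denial: the parent proved with signed NSEC/NSEC3 that no DS exists.
    """
    if not parent_ds:
        # Absence of a DS must itself be proven; an unproven absence is bogus.
        return "insecure" if authenticated_denial else "bogus"
    usable = [ds for ds in parent_ds if ds[2] in DIGEST_ALGOS]
    if not usable:
        # Only unsupported digest types: treated like a proven absence of DS.
        return "insecure"
    for rdata in child_dnskeys:
        for ds in usable:
            if ds == make_ds(owner, rdata, ds[2]):
                return "secure"   # a DNSKEY matches a DS: the chain of trust continues
    return "bogus"                # DS exists but no DNSKEY in the child matches it


# Constructed data (not a real key): a KSK for the made-up zone example.test.
ZONE = "Example.TEST."   # mixed case on purpose; canonical form lowercases it
KSK_RDATA = dnskey_rdata(flags=257, protocol=3, algorithm=8,
                         pubkey=base64.b64decode("AQIDBA=="))  # bytes 01 02 03 04

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(ZONE, KSK_RDATA)
    print(f"{ZONE.lower()} IN DS {tag} {alg} {dtype} {digest}")
    # The TechRepublic case: no DS at the parent, but the parent proves it.
    print("no DS, proven:", delegation_status([], [KSK_RDATA], ZONE, True))
    # The Sandia case: a DS at the parent matches a DNSKEY in the zone.
    print("matching DS:", delegation_status([make_ds(ZONE, KSK_RDATA)], [KSK_RDATA], ZONE, False))
```

Feed the DS set from the parent and the DNSKEY set from the child (for example the output of dig for each) into delegation_status and the result is the "insecure", "secure" or error state a tool like the Verisign Labs tester or DNSViz reports. The unsupported-digest branch matters in practice: a parent that publishes only a digest type the resolver cannot compute leaves the child unvalidated rather than broken.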

We're not done yet, though. There is something else to consider. Remember my mention of DNSSEC's complexity? Well, Dr. Casey Deccio, computer scientist with Sandia National Laboratories agrees (courtesy of Homeland Security News):

"DNSSEC is hard to configure correctly and has to undergo regular maintenance. It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren't fully compatible, it keeps users from accessing .gov sites. They just get error responses."

DNSViz

To help resolve DNSSEC problems, Casey developed a web-based tool called DNSViz:

"It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, made available via a Web browser to any Internet user.

It highlights and describes configuration errors detected by the tool to assist administrators in identifying and fixing DNSSEC-related configuration problems."

One can tell this stuff is complicated; I wasn't getting the intricacies of DNSViz, let alone DNSSEC. So I contacted Casey and asked a few questions.

Kassner: Why did you feel the need to create DNSViz? Deccio: It's no secret that the DNS is inherently insecure. DNSSEC is the mainstream community effort to secure DNS. However, the complexity it adds to regular DNS is non-trivial, from a perspective of both understanding and deployment. Without something to help address this complexity, DNSSEC deployment could be stunted, either because it seems too big of a bite to swallow for businesses and other entities that might otherwise benefit, or because of failure to properly operate it.

DNSViz was intended to take some of the voodoo out of DNSSEC and make it more understandable to those working most closely with it on the engineering and operations sides. It also visually demonstrates DNSSEC to those working less intimately with it, but who can still appreciate a pretty picture.

Kassner: What conditions would signal the need to test a website or other online presence? Deccio: DNSViz provides an at-a-glance view of the security that the TechRepublic domain offers; that is, whether or not DNS resolvers have a way to validate the correctness of a response they've retrieved for the TechRepublic domain. Like a majority of companies, TechRepublic does not have DNSSEC deployed, so it shows "insecure".

There are three primary reasons why someone might use DNSViz to analyze their domain:

  • To see where a domain currently stands, in terms of its DNSSEC status.
  • In conjunction with any DNSSEC maintenance, including initial deployment, as a sanity check.
  • To troubleshoot DNSSEC-related issues with the domain.

Kassner: I type www.TechRepublic.com into DNSViz and click on Go. What happens then? Deccio: DNSViz will produce a graphical representation of the DNSSEC "chain of trust" for www.TechRepublic.com, from the perspective of the last time it was analyzed. If using the Firefox or Opera Web browsers, mousing over the various graph components will result in additional information being displayed about the selected components. Names are re-analyzed on a periodic basis, and can be explicitly re-analyzed upon request, if desired.

Kassner: I tested www.TechRepublic.com. Here are the results. Would you please describe what we are looking at?

Deccio: One of the most interesting things about DNSSEC is that insecurity must be proven, specifically from the top down. The output for TechRepublic.com is a perfect example. The only reason a validating DNSSEC client will accept an unsigned -- or an illegitimately signed, for that matter -- response for TechRepublic.com is because the com zone provides records (NSEC3) proving that no keys are available to validate TechRepublic.com names, as far as com is aware.

The chain of trust extends from the trust anchor at the top (identified by a double border), down through the com zone, and terminates with the NSEC3 nodes. Because the chain is complete through those NSEC3 nodes, a validating resolver knows that it cannot assert anything about the security of a response for TechRepublic.com. Thus records within that domain are labeled as "insecure".

Kassner: What does it mean if a domain fails your test? Deccio: DNSViz is intended to highlight problems with a domain's configuration. If some errors or warnings show up, they typically indicate an inconsistency caused by maintenance neglect, incompatibility, or misconfiguration. Something must be done on the part of the domain's operator to remedy such issues.

DNSViz is by no means a finished product. In the future, I hope to provide additional aids to resolve any problems detected by the tool, include a historical analysis, address general name resolution problems, and add some additional features. We're seeking additional funding and collaboration opportunities to make these extensions possible and make DNSViz a more resourceful tool. I would invite organizations with the right kind of technical expertise and interest in this kind of security tool to contact me at Sandia.

Kassner: I sense frustration among experts who are expending tremendous effort trying to get DNSSEC more fully incorporated. Do you share their concern? Deccio: Deployment of DNSSEC, or any other technology for that matter, requires both the technical pathway and incentive. The technical pathway became a reality with the 2010 signing of the root zone and the signing of other major top-level domains.

Many businesses and other entities have yet to see the incentive for deployment. Being familiar with the deployment complexities, I understand that:

  • DNSSEC is not necessarily for everyone: why incur the overhead if the net gain for a domain is minimal?
  • There are many who can benefit from DNSSEC deployment, but haven't put forth any effort to further it.

I think the Internet community can learn a couple of things from this. It is possible that the DNS-security solutions we have aren't palatable in their current state, and as they evolve -- either in available tools, protocols, or deployment -- they will be adopted by those that are waiting on the edge.

While we continue encouraging folks to engage in DNSSEC deployment efforts, we must improve and simplify our current solution set.

Kassner: I'm interested in why individuals become passionate about a certain technology, particularly a challenging one like DNS security. What in this field grabbed your interest enough to pursue it so intensely? Deccio: There are a lot of open problems with the DNS, and the community is quite active, even though DNS is over 25 years old. The field is open enough to benefit from academic research, as well as engineering; and solutions from both areas address a problem that is real and affects all Internet users.

Final thoughts

I wanted to mention that Sandia National Laboratories released a video of Communications Officer Mike Janes interviewing Casey. The video walks through the intimacies of DNSViz.

DNSSEC or something similar is needed. Otherwise, circumstances will degrade to a point where no one will trust the Internet. Thanks to efforts by DNS experts like Casey Deccio, maybe more companies will start implementing DNSSEC.


13 comments
Doug Vitale

Hi Mike, in response to your statement that DNSSec is "difficult to understand and implement", readers of this article should be aware that the Internet Society (the "organizational home" of the IETF and IAB) has created a special website dedicated to helping administrators better understand and implement DNSSec. http://www.internetsociety.org/deploy360/dnssec/

seanferd

Hopefully, a better implementation of DNSSEC will be developed, or maybe something different. (Like DNSCurve.) Plenty of professionally operated domains can't get normal DNS configuration right. For a quick web-based check, this can show you some things about DNSSEC for a domain, but it is not remotely a tool like DNSViz. It checks for DS and DNSKEY records, among the standard tests. It's the only one I know which does. http://dnscheck.iis.se/#dnscheck TR sample: http://dnscheck.iis.se/?time=1326841118&id=2128211&view=advanced&test=standard

Craig_B

I checked several large domains and nothing in .com seems to be using DNSSEC, only the .gov sites that I tested came up OK. DNSSEC sounds like a good idea however just like other security ideas, many people don't quite appear ready to implement it.

JasonAlaska

Even if you implement DNSSEC on your side, it all depends on whether the registrar supports it and allows you to upload your DS records to the parent servers. Some registrars such as Godaddy and GKG both allow this, but others like Network Solutions have no idea.

Michael Kassner

New post. DNS traffic is easily spoofed. That's why they created DNSSEC. But, how do you know DNSSEC is working? DNSViz is one way. Check it out.

Michael Kassner

Anything to help. I wish more would jump on the bandwagon.

Michael Kassner

It sounds like DNSCurve is DNSSEC and DNSCrypt combined. My only concern is that you have to trust their servers.

Michael Kassner

Is that the bad guys need the Internet healthy as well. If they could figure out a work around, I suspect it would get real ugly, fast.

seanferd

They were granted a practical monopoly for nothing back in the early days. I haven't checked myself, but companies like NS should be in the lead on things like DNSSEC.

Michael Kassner

I think that is what Casey was referring to; the need to motivate entities to implement DNSSEC. But, as Casey also mentioned DNSSEC is complicated. Finally, if I understand correctly, there is a performance hit as well.

Craig_B

It almost seems like we need internet DNA, just as human DNA allows us to be sure that person A's DNA belongs to person A, we need to know computer/packet/data B belongs to B. Of course we may have some privacy issues then. I guess it's always a balance between security, ease of use and privacy.
